Today I received about 30 messages within 5 minutes telling me that some mail I sent could not be delivered, mostly to *.ru email addresses which I did not send any mail to. I have my own webserver (postfix/dovecot) set up using this guide (http://workaround.org/ispmail/lenny) but adjusted a little bit for Ubuntu.

I tested whether I am an open relay, which I am apparently not. Now there are two possible reasons for the above mentioned emails: either I am sending out spam, or somebody wants me to think that, correct?

How can I check this?

I selected one particular address that I supposedly sent spam to. Then I searched my mail.log for this entry. I found two blocks that record that somebody from that server connected to my server and delivered some message to two different users. I cannot find an entry reporting that anyone from my server sent an email to that server. Does this mean it's just some mail to scare me, or could it still have been sent by me in the first place?

Here is one such block from the log (I replaced some confidential stuff):

2 Answers

Sounds like backscatter (and that log looks pretty innocent, certainly no relaying), meaning that messages would not be sent by your server, but an address in your domain would be used as a spoofed From: address.

Do any of the non-delivery report messages include the original message header? If so, you should be able to verify that the messages aren't being relayed through your system.

Unfortunately, controlling backscatter is pretty difficult if it's persistent. In my experience they usually back off of using a spoofed address after a matter of days or weeks, but it's very hard to block the messages without blocking legitimate NDR messages.

Agreed, it doesn't look like a relay attempt. In rare cases, you can get away with shutting down the TLD by doing a REJECT for it, although you end up blocking an entire country in the process. If there is no need to contact people in the .ru TLD, just put a temporary block for it that does a REJECT until the storm passes. After a week or two, just pull it out.
– Avery Payne Jun 27 '11 at 17:24
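One way to do the check the answer above describes, as an added example that is not from the original post: take the original message headers that an NDR returns (the message/rfc822 or text/rfc822-headers part) and see whether any Received: hop names your own server. The hostnames, IP addresses and the sample headers here are constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample: original headers returned inside a bounce. The From:
# is spoofed to our domain (example.org), but the Received chain shows the
# message never passed through our server (mail.example.org).
SAMPLE_BOUNCED_HEADERS = b"""\
Received: from mx1.mail.ru (mx1.mail.ru [203.0.113.7])
\tby relay.example.net with ESMTP id abc123; Mon, 27 Jun 2011 10:00:00 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx1.mail.ru with SMTP; Mon, 27 Jun 2011 09:59:58 +0000
From: someone@example.org
To: victim@example.ru
Subject: hello

"""


def received_hops(raw):
    """Return (from_host, by_host) per Received: header, newest hop first
    (MTAs prepend Received: headers, so the last entry is the origin)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # collapse folded whitespace
        m_from = re.search(r"\bfrom\s+(\S+)", text, re.I)
        m_by = re.search(r"\bby\s+(\S+)", text, re.I)
        hops.append((m_from.group(1) if m_from else None,
                     m_by.group(1) if m_by else None))
    return hops


def originated_from_us(raw, our_names):
    """True if any Received: hop names one of our hostnames/IPs on either
    side, i.e. the bounced message really did pass through our server.
    False means the bounce is backscatter from a spoofed From: address."""
    ours = {n.lower() for n in our_names}
    for frm, by in received_hops(raw):
        for host in (frm, by):
            if host and host.lower().strip("[]();") in ours:
                return True
    return False


if __name__ == "__main__":
    # Hypothetical names of our own MTA; adjust to your hostname and IP.
    print(originated_from_us(SAMPLE_BOUNCED_HEADERS, ["mail.example.org", "192.0.2.10"]))
```

Run it against the headers from each NDR you received; a result of False for all of them confirms the messages were never relayed through your system.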

Did you search for your IP in blacklists? For example, you can do it here: http://www.mxtoolbox.com/blacklists.aspx
Also, a virus on the local network can send spam bypassing your server. You can block destination TCP port 25 from the local network on your firewall and then look in the log to see who has been sending to port 25.